1. Field of Invention
This invention pertains in general to computer networks and in particular to a server for securely executing common gateway interface programs.
2. Background of the Invention
An Internet Service Provider ("ISP") may host web pages for many different customers. For example, a typical ISP may provide web hosting services for thousands of customers. These services primarily include providing storage space for web pages and CGI programs, processing time for responding to access requests and executing programs called by the web pages, and network bandwidth for sending data to and receiving data from client browsers.
The customers' web pages often refer to Common Gateway Interface ("CGI") programs (also referred to as "CGI scripts"). A common use of a CGI program is to provide data in response to a client request for information through back-end processing. For example, a CGI program may provide flight status information, a directory listing, or driving instructions in response to a web page-based query.
CGI programs may be written in any language understandable to the executing server, including, for example, C, Perl, or a shell script. CGI programs usually reside in a "/cgi-bin/" directory that is on, or logically connected to, the web server. When a link to a CGI program on a web page is selected, the web server executes the CGI program, passes along information from the web page, and transmits the program's output back to the client browser.
On a server running a variant of the UNIX operating system, each process executed by the server has an associated user identification ("UID"). The UID identifies the user who executed the process, and is used to determine the permissions available to that user. In a typical web hosting environment, CGI programs executed by the web server have a UID identifying the web server. This situation is undesirable because it grants any CGI program all of the permissions and associated capabilities available to the web server. Therefore, a malicious user could write a CGI program that abuses its permissions and harms the web server.
To avoid this potential security breach, certain web servers have the capability of executing the CGI program using a different UID. For example, the Apache HTTP Server Version 1.3 includes the suEXEC feature, which provides Apache users with the ability to run CGI programs under UIDs different from the UID of the calling web server. Thus, the web server can be configured to execute the CGI program with the owning customer's UID or with a special "safe" UID.
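As an added illustration (not part of the original text and not Apache's suEXEC code), the following C program shows checks a root-owned wrapper can make before running a customer's CGI program under the customer's UID rather than the web server's. The `MIN_UID` floor, the sample UIDs, the rule numbering, and the function names `cgi_check` and `drop_to` are assumptions of this example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define MIN_UID 500 /* assumed floor; lower UIDs are treated as system accounts */

/* Decide whether a CGI file may be run as target_uid.
 * Returns 0 if allowed, otherwise a negative code naming the failed rule. */
int cgi_check(const struct stat *st, uid_t target_uid, uid_t server_uid)
{
    if (target_uid == 0)                   return -1; /* never run CGI as root */
    if (target_uid < MIN_UID)              return -2; /* system account */
    if (target_uid == server_uid)          return -3; /* would keep the server's permissions */
    if (!S_ISREG(st->st_mode))             return -4; /* not a regular file */
    if (st->st_uid != target_uid)          return -5; /* not owned by the customer */
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return -6; /* another user could replace it */
    if (st->st_mode & (S_ISUID | S_ISGID)) return -7; /* could switch identity on exec */
    return 0;
}

/* Permanently drop from root to the customer's identity: group first, because
 * setgid() fails once the UID is no longer privileged. Returns 0 on success.
 * A production wrapper would also clear supplementary groups. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0)   return -1; /* root must not be recoverable */
    return 0;
}

int main(int argc, char **argv)
{
    struct stat st;
    uid_t server_uid = 33, customer_uid = 1001; /* constructed sample UIDs */
    gid_t customer_gid = 1001;                  /* constructed sample GID */
    if (argc < 2 || stat(argv[1], &st) != 0) {
        fprintf(stderr, "usage: %s /path/to/cgi\n", argv[0]);
        return 2;
    }
    int rc = cgi_check(&st, customer_uid, server_uid);
    if (rc != 0) {
        fprintf(stderr, "refusing to run %s (rule %d)\n", argv[1], rc);
        return 1;
    }
    if (drop_to(customer_uid, customer_gid) != 0) return 1;
    execv(argv[1], argv + 1); /* only returns on failure */
    return 1;
}
```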
However, the suEXEC feature does not provide a security model robust enough for sophisticated web hosting needs. A web host, for example, may provide a remote access feature wherein the customer uses CGI programs to update files on the web server. In such a case, the web server must authenticate that the client is the customer before executing the CGI. Otherwise, non-customers would be able to execute CGI programs and overwrite the customer's data. Likewise, it is sometimes desirable to allow an authenticated customer to write data that even the customer cannot later alter.
Accordingly, there is a need for a more sophisticated security model for web servers. Preferably, this security model would work with existing web servers and without requiring major upgrades of hardware or software.